Critical Vulnerabilities in Log4j - remote code execution - Urgent Information - CVE-2021-44228

Monday, December 20, 2021


Dear Customer,

Following the message sent a week ago regarding the vulnerability in the Apache Log4j module (versions 2.x), and while the fixes (namely the update to version 2.16) were being applied, two further vulnerabilities in this module were reported, one of which also affects the 1.x versions:

• CVE-2021-45105 (CVSS score: 7.5) - A denial-of-service vulnerability (uncontrolled recursion during lookup evaluation) affecting Log4j versions from 2.0-beta9 to 2.16.0 when a non-default Pattern Layout with a Context Lookup, such as ${ctx:loginId}, is used (fixed in version 2.17.0)

• CVE-2021-4104 (CVSS score: 8.1) - An untrusted-deserialization flaw in the JMSAppender of Log4j 1.2, exploitable when an attacker can modify the Log4j configuration (no fix available, as Log4j 1.x is end-of-life; upgrade to version 2.17.0)

Accordingly, one of the following actions is recommended:

• Apply the fixes made available by the vendors of products that bundle the Log4j module
• Update Log4j to version 2.17.0
• For Log4j 1.x deployments that cannot be migrated immediately, disable or remove the JMSAppender class (org.apache.log4j.net.JMSAppender)
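As an added example (not Claranet's tooling and not part of this notice), the following Python script implements the inventory step behind the recommendations above: it finds Log4j jars under a directory, reads the version from the Maven pom.properties embedded in each jar, flags 2.x jars older than 2.17.0 and every 1.x jar, checks whether a 1.x jar still ships the JMSAppender class, and can write a copy of the jar with that class removed. The sample jars it builds are constructed fixtures, not real Log4j builds, and the file names and directory paths are assumptions.

```python
"""Offline Log4j jar inventory for the two advisories above (added example,
not a Claranet tool). Reads artifactId/version from the Maven pom.properties
inside each jar: 2.x below 2.17.0 -> upgrade (CVE-2021-45105); 1.x -> end of
life, flagged with whether org/apache/log4j/net/JMSAppender.class is still
shipped (CVE-2021-4104). demo() uses constructed jars, not real builds."""
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_2X = (2, 17, 0, 1)  # 2.17.0 final release, see parse_version()
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
POM_RE = re.compile(r"^META-INF/maven/[^/]+/(log4j|log4j-core)/pom\.properties$")

def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 0), '2.17.0' -> (2, 17, 0, 1); the last element
    is 0 for a pre-release qualifier, so 2.0-beta9 < 2.0 < 2.16.0 < 2.17.0."""
    main, _, qualifier = text.partition("-")
    nums = [int(p) for p in main.split(".") if p.isdigit()]
    return (*(nums + [0, 0, 0])[:3], 0 if qualifier else 1)

def log4j_coordinates(jar):
    """(artifactId, version) from pom.properties, or None if not log4j/log4j-core."""
    for name in jar.namelist():
        if POM_RE.match(name):
            lines = jar.read(name).decode("utf-8", "replace").splitlines()
            props = dict(ln.split("=", 1) for ln in lines if "=" in ln and ln[0] != "#")
            return props.get("artifactId"), props.get("version")
    return None

def assess_jar(path):
    """Classify one jar per the advisory; None when it is not Log4j."""
    path = Path(path)
    with zipfile.ZipFile(path) as jar:
        coords = log4j_coordinates(jar)
        if not coords or not coords[1]:
            return None
        artifact, version = coords
        has_jms = JMS_APPENDER in jar.namelist()
    v = parse_version(version)
    if v[0] == 1:  # end-of-life; CVE-2021-4104 also needs attacker control of the
        # Log4j configuration, but the inventory question is whether the class ships
        status, action = "log4j-1.x-eol", ("migrate to 2.17.0; meanwhile remove JMSAppender"
                                           if has_jms else "migrate to 2.17.0")
    elif v < FIXED_2X:
        status, action = "upgrade-to-2.17.0", "upgrade to 2.17.0"
    else:
        status, action = "ok", "none"
    return {"name": path.name, "artifact": artifact, "version": version,
            "status": status, "action": action, "jms_appender_present": has_jms}

def scan(root):
    """Walk root recursively; return findings for every Log4j jar, sorted by name."""
    findings = []
    for p in Path(root).rglob("*.jar"):
        try:
            r = assess_jar(p)
        except zipfile.BadZipFile:
            continue  # not a valid archive
        if r:
            findings.append(r)
    return sorted(findings, key=lambda r: r["name"])

def strip_jms_appender(src, dst):
    """Copy a 1.x jar to dst without JMSAppender.class (zipfile cannot delete in
    place). Returns True when the class was present and dropped."""
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            if item.filename == JMS_APPENDER:
                removed = True
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed

def make_fake_jar(path, group, artifact, version, entries=()):
    """Constructed fixture: pom.properties plus empty placeholder class entries."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                   f"#Generated\nversion={version}\ngroupId={group}\nartifactId={artifact}\n")
        for e in entries:
            z.writestr(e, b"")

def demo(root=None):
    """Build constructed sample jars, scan, then strip JMSAppender from the 1.x
    jar into log4j-1.2.17-nojms.jar. Returns (root, findings before stripping)."""
    root = Path(root or tempfile.mkdtemp(prefix="log4j-scan-"))
    root.mkdir(parents=True, exist_ok=True)
    core = "org.apache.logging.log4j"
    make_fake_jar(root / "log4j-core-2.16.0.jar", core, "log4j-core", "2.16.0")
    make_fake_jar(root / "log4j-core-2.17.0.jar", core, "log4j-core", "2.17.0")
    make_fake_jar(root / "log4j-1.2.17.jar", "log4j", "log4j", "1.2.17",
                  [JMS_APPENDER, "org/apache/log4j/Logger.class"])
    make_fake_jar(root / "commons-io-2.11.0.jar", "commons-io", "commons-io", "2.11.0")
    findings = scan(root)
    strip_jms_appender(root / "log4j-1.2.17.jar", root / "log4j-1.2.17-nojms.jar")
    return root, findings

if __name__ == "__main__":
    for f in demo()[1]:
        print(f"{f['name']}: {f['artifact']} {f['version']} -> {f['status']} ({f['action']})")
```

Run the file directly to see the report for the constructed fixtures, or call scan() on a real library directory such as a Tomcat lib folder (path assumed). Two caveats for real hosts: jars without Maven metadata (shaded or repackaged builds) and jars nested inside WAR or EAR archives are not detected, so a clean result is a starting point rather than proof of absence; and removing JMSAppender breaks any application that actually configures it, which is why the notice prefers the upgrade to 2.17.0.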
Claranet is following the issue and has already acted on its internal systems.

It will continue to monitor and act within the scope of the services provided to customers, in line with the information available at each point in time.

References:

https://www.bleepingcomputer.com/news/security/upgraded-to-log4j-216-surprise-theres-a-217-fixing-dos/
https://www.zdnet.com/article/apache-releases-new-2-17-0-patch-for-log4j-to-solve-denial-of-service-vulnerability/
https://www.kb.cert.org/vuls/id/930724
